Data Processing Agreement

Last updated: January 2026

1. Data Controller

theStacc Inc. acts as the data controller for personal data processed through our platform. We determine the purposes and means of processing your personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) where applicable.

2. Types of Data Processed

In the course of providing our services, we process the following categories of data:

  • Account data: Name, email address, company name, billing address.
  • Usage data: Service interactions, content generation history, feature usage patterns.
  • Business data: Website URLs, keywords, business descriptions you provide to configure our services.
  • Technical data: IP addresses, browser type, device identifiers, and other log data.

3. Legal Basis for Processing

We process your personal data on the following legal grounds: (a) Contractual necessity - processing required to deliver the services you have subscribed to; (b) Legitimate interests - improving our platform, fraud prevention, and security; (c) Legal obligation - compliance with applicable laws; and (d) Consent - for optional communications and non-essential cookies where required.

4. Data Retention

We retain your personal data for as long as your account is active or as needed to provide our services. Upon account termination, we will delete or anonymize your personal data within 90 days, unless we are required to retain it for longer to comply with legal obligations, resolve disputes, or enforce our agreements.

5. Third-Party Processors

We engage trusted third-party sub-processors to help deliver our services, including cloud infrastructure providers, payment processors, and AI model providers. All sub-processors are bound by data processing agreements and are required to implement appropriate security measures. A current list of sub-processors is available on request.

6. Cross-Border Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. Where we transfer data from the European Economic Area, we rely on Standard Contractual Clauses or other appropriate safeguards as recognized under GDPR to ensure an adequate level of protection.

7. Your Rights (GDPR)

If you are located in the European Economic Area, you have the following rights regarding your personal data:

  • Right of access - request a copy of the data we hold about you.
  • Right to rectification - request correction of inaccurate or incomplete data.
  • Right to erasure - request deletion of your personal data in certain circumstances.
  • Right to restriction - request that we limit how we use your data.
  • Right to data portability - receive your data in a structured, machine-readable format.
  • Right to object - object to processing based on legitimate interests.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Contact

For data protection enquiries, please contact our team at [email protected].